A system developer has a requirement for an application to check for a secure digital signature before the application is accessed on a user's laptop. Which security mechanism addresses this requirement?
A is correct. B... just because you guys hear "policy" and click it... read closer and stop trying gimmicks to get answers correct. TPM is where cert-related mechanisms are found, not in a "policy".
Check for a secure digital signature, not check the status of a digital signature.
Key Usage: Applications or processes running on the device can utilize TPM to perform cryptographic operations, including digital signature generation and verification. When generating a digital signature, the application can use the TPM-resident private key to sign the data, and when verifying a digital signature, the application can use the TPM to verify the signature against the corresponding public key stored in the TPM.
The above explanation is from GPT. TPM is the answer for this question.
A TPM can be used for remote attestation, ensuring that a host is in a known good state and hasn't been modified or tampered with (from a hardware and a software perspective). TPMs can also seal and bind data to them, encrypting data against the TPM. This also allows it to be decrypted by the TPM, only if the machine is in a good and trusted state.
https://quizlet.com/510817674/it-security-defense-against-the-digital-dark-arts-flash-cards/
Answer B) Certificate revocation list (CRL) policy
The question is asking to check for a "secure digital signature". "Secure" is referring to valid/up-to-date and not just having any "digital certificate".
There is literally a Group Policy in Windows to check for digital certificates: https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::Advanced_CertificateRevocation
More reading on how CRL is used with software:
https://public.cyber.mil/pki-pke/admins/#toggle-id-3:~:text=Applications%20must%20verify%20certificates%20have%20not%20been%20revoked%20prior%20to%20relying%20on%20them%20for%20security%20functions%20such%20as%20authentication.
Also, the question isn't stating that the laptop needs to have a valid certificate, but the app itself should have a valid certificate before opening. That way it won't allow people using it if its encryption isn't valid/working.
The answer is A:
A TPM provides tamper-resistant hardware-based secure storage for keys/measurements needed to validate signatures or hashes before allowing access on a device.
- A certificate revocation list policy manages revoked certificates but does not perform verification itself.
- Key exchange and hardware encryption facilitate secure communication but do not explicitly handle pre-access digital signature validation, which is the stated need.
TPMs can securely store and use device keys needed to check valid signatures and hashes before launching apps or firmware.
B. The question asks for "to check for a secure digital signature". So checking for the signature.
https://www.keyfactor.com/blog/what-is-a-certificate-revocation-list-crl-vs-ocsp/
What I understood from the question:
The laptop has to validate the application's digital signature (which is usually over a trusted signed digital certificate that carries the digital signature) before permitting access.
In this case, Option B is the right answer.
Seems TPM can perform Digital Signature Operations:
TPM is a smartcard-like module on the motherboard performing cryptographic functions and digital signature operations. It can create, store and manage user keys. It is protected against attacks.
Ref: https://docs.sophos.com/esg/sgn/8-2/admin/en-us/esg/SafeGuard-Enterprise/concepts/BitLockerAuthenticationTPM.html#:~:text=TPM%20is%20a%20smartcard%2Dlike,It%20is%20protected%20against%20attacks.
Answer B
A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their actual or assigned expiration date.
It is a type of blocklist that includes certificates that should no longer be trusted and is used by various endpoints, including web browsers, to verify if a certificate is valid and trustworthy.
The CRL file is signed by the CA to prevent tampering.
What is a digital certificate?
Digital certificates are used in the encryption process to secure communications and create trust in online transactions -- most often, by using the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. The certificate, which is signed by the issuing CA, also provides proof of the certificate owner's identity.
https://www.techtarget.com/searchsecurity/definition/Certificate-Revocation-List
TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop).
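The comments above treat verifying an application's signature and checking a CRL as competing answers; a pre-launch gate performs both, as separate steps. The following is an added example, not code from the page or any commenter, using the Python `cryptography` package. The CA, publisher, serial numbers and the `may_launch` function are constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)
ECDSA = ec.ECDSA(hashes.SHA256())

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue_cert(subject_cn, subject_key, issuer_cn, issuer_key, serial):
    return (x509.CertificateBuilder().subject_name(name(subject_cn))
            .issuer_name(name(issuer_cn)).public_key(subject_key.public_key())
            .serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=365)).sign(issuer_key, hashes.SHA256()))

def build_crl(issuer_cn, issuer_key, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256())

def may_launch(app_bytes, signature, signer_cert, ca_cert, crl):
    """Pre-launch gate; validity dates and CRL freshness are omitted for brevity."""
    try:
        # The app was signed by the certificate's key, and the CA issued that certificate.
        signer_cert.public_key().verify(signature, app_bytes, ECDSA)
        ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes, ECDSA)
    except InvalidSignature:
        return "deny: bad signature"
    # The CRL is itself CA-signed; reject a list the CA did not sign.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "deny: untrusted CRL"
    # A mathematically valid signature is still refused if its certificate is revoked.
    if crl.get_revoked_certificate_by_serial_number(signer_cert.serial_number):
        return "deny: signer revoked"
    return "allow"

# Constructed test data: a throwaway CA, publisher certificate and application image.
CA_KEY, SIGNER_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
CA_CERT = issue_cert("Example CA", CA_KEY, "Example CA", CA_KEY, 1)
SIGNER_CERT = issue_cert("Example Publisher", SIGNER_KEY, "Example CA", CA_KEY, 2)
APP = b"constructed application image"
SIG = SIGNER_KEY.sign(APP, ECDSA)
```

With an empty CRL the gate allows the launch; once serial 2 is listed, the same unchanged signature is refused.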